In the week that saw one of the world’s biggest IT outages, apparently caused by a cyber security firm no less, a new Cyber Security and Resilience Bill was announced in the UK. The bill was set out in the King’s Speech on Wednesday last week (or, to be more precise, in the background note accompanying the speech).
It was proposed in response to the increasing frequency and severity of cyber attacks affecting entities in critical sectors and their supply chains. Targets have included the Ministry of Defence, the British Library, Royal Mail, and most recently, the NHS. The latter was a supply chain attack which targeted pathology services provider Synnovis and resulted in thousands of delayed outpatient appointments and elective procedures across King’s College Hospital and Guy’s and St Thomas’ Hospital.
The Cyber Security and Resilience Bill aims to address existing vulnerabilities and strengthen the UK’s defences against cyber threats by expanding the scope of the current cyber regulations, empowering regulators and increasing reporting requirements.
The UK’s existing laws
The UK’s existing cybersecurity rules for critical sectors are set out in the Network and Information Systems (NIS) Regulations 2018. They originally transposed the EU NIS Directive (see below).
They apply to operators of essential services in a range of sectors including water, digital infrastructure, energy, health, transport and to certain digital service providers (online marketplaces, online search engines and cloud computing services) and impose a range of security and incident notification obligations on those entities.
Plans to update the regulations have been in place for some time. Post-implementation reviews of the NIS Regulations found they required modernisation to reflect current threats, and back in 2022 the previous government announced its intention to update them, subject to finding a suitable legislative vehicle and as soon as parliamentary time would allow. That time was never found. Its proposals had included bringing managed services within the scope of digital service providers, giving ministers the power to add new sectors and subsectors, and introducing a full cost recovery model for the NIS Regulations (for more details see our blog).
What will the Bill do?
The new Cyber Security and Resilience Bill proposed by the current government and announced as part of the King’s Speech will modernise the existing regime by:
- expanding the remit of the regulation to protect more digital services and supply chains, as those are increasingly attractive to attackers;
- putting regulators on a strong footing to ensure essential cyber safety measures are being implemented, including by introducing potential cost recovery mechanisms and providing powers to proactively investigate vulnerabilities; and
- mandating increased incident reporting to give government better data on cyber attacks (including where a company has been the subject of a ransom attack).
The changes are similar to those proposed by the previous government, for example, in relation to introducing a potential cost recovery mechanism. However, the current proposal is very high level, and we await a more detailed draft of the bill for more information.
What is happening in the EU in parallel?
The EU has been moving quickly to legislate in the field of cybersecurity and has been very proactive in setting technical standards and establishing cooperation frameworks on cyber risk prevention and response.
The NIS Directive is being superseded by the NIS 2 Directive, which entered into force on 16 January last year and should be transposed by EU Member States by 17 October this year. The NIS 2 Directive makes a number of wide-reaching changes to the existing EU cybersecurity regime for network and information systems. See our blog for more details.
Recent developments in relation to the NIS 2 Directive include a consultation on a draft implementing regulation launched by the European Commission on 27 June. The draft implementing regulation will apply to entities such as cloud computing service providers, data centre service providers, and providers of online marketplaces, search engines and social networking service platforms. For those entities it will set out the technical and methodological requirements for risk management measures and the criteria for when an incident will be considered significant for the purposes of the NIS 2 Directive.
Comment
To date the UK has been slow to modernise its NIS regime, despite identifying a need to do so. Although the previous government took steps to update the NIS Regulations, the fact that this was not prioritised, combined with a very proactive EU, has meant that the UK was starting to lag behind its neighbouring countries. The proposed Cyber Security and Resilience Bill should mean that the UK finally follows suit in implementing a more modern and responsive cybersecurity regulatory framework for critical sectors.